One of the Equifax security issues detailed by the unnamed researcher in a report by Motherboard was that an Equifax website exposed personally identifiable information (PII), including names, city and state locations, Social Security numbers and birthdates, through a forced-browsing bug.

Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this sort of bug was "inexcusable in this day and age."

"[Andrew] 'Weev' Auernheimer went to prison over exploiting a forced-browsing bug that revealed far less sensitive information than that revealed through the Equifax web applications," Williams told SearchSecurity. "That a company would be notified about a forced-browsing issue exposing PII and then fail to fix it in the current security climate borders on negligence."

Beyond that bug, the researcher said they found Equifax servers running outdated software and vulnerable to SQL injection attacks, allowing shell access to those systems.

Peter Tran, general manager and senior director of worldwide advanced cyberdefense practice at RSA Security, based in Bedford, Mass., said the Equifax security issues were not unique, but "the table stakes increase exponentially in PII-intensive businesses."

"Blind spots in vulnerability monitoring and visibility can go off the rails very fast, particularly over publicly web-facing assets open to overwhelming amounts of probing and reconnaissance," Tran told SearchSecurity. "It's a double bubble: If one security layer pops, you can pop the other -- i.e., the classic SQL injection blind spot."

Equifax security response


With the disclosure of these problems to Equifax, the security researcher asked the company to at least take down the public access to these servers. However, Equifax didn't take action until June -- approximately three months after the company had been breached via an unrelated Apache Struts vulnerability and one month before the company detected that breach.

Hector Monsegur, director of assessment services at Seattle-based Rhino Security Labs, said the "entire situation is inexcusable." But, unfortunately, he said he could also "see how vulnerability warnings may have gone under the radar."

"This is common among organizations with large attack surfaces, vast numbers of employees and no coordination between their various IT departments. Unless they drastically change their current state of security, I fear the situation may be getting worse," Monsegur told SearchSecurity. "Eventually, large organizations with lax security will be facing a reality check: There are consequences to major blunders in security. Attorneys general across the United States have been taking action against companies who are not properly safeguarding financial or customer information. Being 'too large to fail' is no longer a free pass."

Rick Holland, vice president of strategy for San Francisco-based Digital Shadows, said the revelation of these latest Equifax security issues makes it "even more difficult to accept former CEO Richard Smith's explanation that a single employee 'not doing their job' was the reason this intrusion occurred."

"Systemic issues in Equifax's vulnerability management program were more likely to have contributed to this breach than a single person. Given the nature of Equifax's data, they were highly likely to be targeted by a vast array of threat actors from nation states to hacktivists to cybercriminals," Holland told SearchSecurity. "If their security program is as weak as it is being reported, then you probably had multiple threat actors stepping all over themselves as they probed and pivoted across the environment."

Jules Okafor, vice president of cyber risk programs at Fortress Information Security in Orlando, Fla., said the Equifax security issues appeared systemic.

"Experts attribute Equifax's breach to a combination of small, but incremental technical lapses. Yet, breaches at large enterprises can be directly attributed to failed processes and priorities -- innovation over security, single points of failure and a siloed approach to vulnerability risk management," Okafor told SearchSecurity. "These are systemic issues that impact a security team's ability to detect, respond and remediate critical threats in a timely fashion."


When a company like Equifax, whose core business is centered around the collection of NPI, can't execute an effective information security program, how can we (Joe Q. Public) expect organizations that gather NPI as an incidental part of their business to do so effectively? Even our own government has failed miserably in protecting NPI (reference OPM breach), so it is understandable that a foreboding sense of hopelessness has set in. As with terrorism, we have to get it right 100% of the time and that just isn't humanly or technically possible. How long before the lawyers seize this class action honeypot?